Web

Some cool tricks for hacking websites

Cookies

  • A JWT cookie's signature (the part after the last ".") can be removed, and the token is still accepted as long as the server never checks the signature. In the example below the header's alg is also set to "none" and the user claim is changed before re-encoding:
    original: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXUyJ9.eyJ1c2VyIjoibcSxY2hhZWwifQ.eXHXJZlQbME7lMLAnkGjqLhGFLXHuBD06mHMbaruqiM
    decoded: {"alg": "HS256","typ": "JWS"}.{"user": "mıchael"}.eXHXJZlQbME7lMLAnkGjqLhGFLXHuBD06mHMbaruqiM
    signature removed: {"alg":"none","typ":"JWS"}.{"user":"admin"}.
    re-encoded: eyJhbGciOiJub25lIiwidHlwIjoiSldTIn0.eyJ1c2VyIjoiYWRtaW4ifQ.
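
    The server-side counterpart, as an added example that is not part of these notes: a minimal HS256 verifier in plain Ruby (OpenSSL and JSON from the standard library only) that shows why the trick above fails against a correct implementation. The verifier keeps its own allow-list of algorithms instead of trusting the token's alg field, treats an empty third segment as a failure, and compares the HMAC in constant time. DEMO_SECRET, the helper names and the claims are constructed for this example; ALG_NONE_TOKEN is the re-encoded token from the notes.

```ruby
require "openssl"
require "json"

# Demo secret, constructed for this example; a real service loads it from a secret store.
DEMO_SECRET = "constructed-demo-secret-do-not-reuse".freeze
# The verifier decides which algorithms are acceptable; the token does not.
ALLOWED_ALGS = ["HS256"].freeze

def b64url_encode(bytes)
  [bytes].pack("m0").tr("+/", "-_").delete("=")
end

def b64url_decode(str)
  s = str.tr("-_", "+/")
  s += "=" * ((4 - s.length % 4) % 4)
  s.unpack1("m0")                      # strict decoding: raises ArgumentError on garbage
end

def hs256(signing_input, secret)
  OpenSSL::HMAC.digest(OpenSSL::Digest.new("SHA256"), secret, signing_input)
end

# Constant-time byte comparison so the signature check does not leak via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def issue_token(claims, secret)
  header  = b64url_encode(JSON.generate({ "alg" => "HS256", "typ" => "JWT" }))
  payload = b64url_encode(JSON.generate(claims))
  "#{header}.#{payload}.#{b64url_encode(hs256("#{header}.#{payload}", secret))}"
end

# Returns [:ok, claims] or [:invalid, reason].
def verify_token(token, secret)
  parts = token.split(".", -1)          # -1 keeps a trailing empty signature segment
  return [:invalid, "expected three segments"] unless parts.length == 3
  header_b64, payload_b64, sig_b64 = parts

  header = JSON.parse(b64url_decode(header_b64).force_encoding(Encoding::UTF_8))
  return [:invalid, "header is not an object"] unless header.is_a?(Hash)
  # This line is what rejects "alg":"none" (and any other algorithm we never issue).
  return [:invalid, "alg #{header['alg'].inspect} not allowed"] unless ALLOWED_ALGS.include?(header["alg"])
  return [:invalid, "empty signature"] if sig_b64.empty?

  expected = hs256("#{header_b64}.#{payload_b64}", secret)
  return [:invalid, "signature mismatch"] unless secure_equal?(b64url_decode(sig_b64), expected)

  [:ok, JSON.parse(b64url_decode(payload_b64).force_encoding(Encoding::UTF_8))]
rescue JSON::ParserError, ArgumentError => e
  [:invalid, "malformed token (#{e.class})"]
end

# The re-encoded "alg":"none" token from the notes (payload {"user":"admin"}, no signature).
ALG_NONE_TOKEN = "eyJhbGciOiJub25lIiwidHlwIjoiSldTIn0.eyJ1c2VyIjoiYWRtaW4ifQ.".freeze

if __FILE__ == $PROGRAM_NAME
  good = issue_token({ "user" => "michael" }, DEMO_SECRET)
  p verify_token(good, DEMO_SECRET)                       # [:ok, {"user"=>"michael"}]
  p verify_token(ALG_NONE_TOKEN, DEMO_SECRET)             # alg "none" not allowed
  p verify_token(good.sub(/[^.]*\z/, ""), DEMO_SECRET)    # signature stripped: empty signature
  forged_payload = b64url_encode(JSON.generate({ "user" => "admin" }))
  p verify_token(good.sub(/\.[^.]*\./, ".#{forged_payload}."), DEMO_SECRET)  # signature mismatch
end
```

    The order of checks matters: the algorithm allow-list runs before any signature work, so a token that names an algorithm the service never issues is refused without the secret ever being touched.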

Unicode

  • Unicode variants of letters can be used to bypass certain checks. Take this check in Ruby, for example (password is assigned so the snippet runs as-is and the elsif branch is reachable):
    password = "whatever"
    user = "michael" # fails the check
    user = "mıchael" # passes the check: 'ı' (U+0131, dotless i) becomes "I" with .upcase

    if user =~ /[A-Z]/ or user == 'michael'
        print "Invalid Username/Password"
    elsif password == "whatever" and user.upcase == "MICHAEL"
        print "Logged in"
    else
        print "Try login with michael's credential"
    end

  • Some Unicode characters expand to two or more characters when their case is changed. For example, "ß" becomes "SS" when converted to uppercase.
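
    Both points above (the dotless-i bypass and the "ß" to "SS" expansion) in one runnable Ruby example, added here and not part of the original notes. vulnerable_login? keeps the behaviour of the check above; hardened_login? shows one way to close it: canonicalize once (NFKC normalization, then downcase rather than upcase) and require the result to fit an ASCII allow-list before comparing anything. case_collisions is an audit helper for an existing user table. All function names and the sample usernames are constructed for this example.

```ruby
# The check from the notes, same behaviour: "michael" is rejected outright,
# but "mıchael" (U+0131) slips through because .upcase turns "ı" into "I".
def vulnerable_login?(user, password)
  return false if user =~ /[A-Z]/ || user == "michael"
  password == "whatever" && user.upcase == "MICHAEL"
end

# Hardened: canonicalize first, then allow-list. Any input that only becomes
# ASCII through case mapping (ı, ß, ſ, the Kelvin sign) is refused instead of
# silently matched. Returns nil for input that cannot be a valid username.
def canonical_username(user)
  folded = user.unicode_normalize(:nfkc).downcase
  folded.match?(/\A[a-z0-9_]{1,32}\z/) ? folded : nil
end

def hardened_login?(user, password)
  name = canonical_username(user)
  !name.nil? && name == "michael" && password == "whatever"
end

# Audit helper: among existing usernames, find distinct strings that collapse
# to the same value under .upcase (this is where "straße" meets "strasse").
def case_collisions(names)
  names.group_by(&:upcase).select { |_, group| group.uniq.length > 1 }
end

if __FILE__ == $PROGRAM_NAME
  p vulnerable_login?("michael", "whatever")   # false: caught by the deny-list
  p vulnerable_login?("mıchael", "whatever")   # true: the bypass
  p hardened_login?("mıchael", "whatever")     # false: "ı" never reaches the comparison
  p hardened_login?("MICHAEL", "whatever")     # true: plain ASCII case folding still works
  p "ß".upcase, "ı".upcase, "ſ".upcase         # "SS", "I", "S"
  p case_collisions(%w[michael mıchael strasse straße bob])
end
```

    Folding with downcase instead of upcase avoids the one-to-many expansions ("ß".upcase is "SS", but "ß".downcase is still "ß"), and the allow-list then rejects whatever is left that is not plain ASCII, so the two classes of surprise in the notes are handled by the same two lines.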